Hi Daniel,

> The last one is not the best solution, because of the fact that you rely
> on randomness. I would suggest you take a more comprehensive approach.

Agreed. If I had enough users and enough nodes, randomness would approach other methods for effectiveness, but that's not the case here.

> As the machines are snmp enabled, you just have to write a custom
> daemon, receiving on port 22 (ssh) as a front-end and check which
> machine is most idle and dnat the user there, for the DNAT to be able to

Slight aside: I don't want to check the load at time of login, because that would significantly slow down the login process. The load checking would be done periodically--say every 5 or 15 minutes or so--and the results would force a change to the DNAT rule.

> work, you would have to send an RST packet back to the ssh client and
> wait for it to reconnect to the already DNAT-ted machine. That would be
> a working solution. As long as you don't wanna have millions of rules on
> the redirecting machine, you just have to "count" the active logins (use
> pam_script for example) and remove the rules as long as the last shell
> quits. You would like to have all simultaneous logins on the same
> machine, so you'll have to check on a new login if the user is still
> there and put it on the same machine. Just think about the RST packet,
> cause I think it's not the most elegant solution as long as the user
> will get a "Connection closed by remote site" msg.

I've considered that (keeping all logins together on the same head node). My feelings on that are:

(0) The users should not actually need to have multiple logins on the same real host. If their environment is not consistent across the hosts, there is another problem.

(1) Once the user logs in and is redirected, they have the option to 'manually' log in to that node for subsequent sessions.

(2) Tracking user logins so I can make this automatic for them is desirable; however, it would be non-trivial to implement robustly.

(3) So, that would be 'version 2'! :)

>> Hi Drew,
>>
>> maybe you should take a look at the "iptables random" target.
>>
>> Something like
>>
>> iptables -t nat -A PREROUTING -p tcp --dport 22 -i $whatever \
>>   -m random --average $[100/$howmuchserveryouvegot] \
>>   -j DNAT --to $server1
>>
>> iptables -t nat -A PREROUTING -p tcp --dport 22 -i $whatever \
>>   -m random --average $[100/$howmuchserveryouvegot] \
>>   -j DNAT --to $server2
>>
>> ...
>>
>> Only one idea, but remember "the last rule should really match" ;-)
>>
>> Hope this is the right syntax.
>>
>> Best
>>
>> Sven

-- 
Drew Leske :: Systems Group/Unix, Computing Services, University of Victoria
dleske@xxxxxxx / +1250 472 5055 (office) / +1250 588 4311 (cel)
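The following is an added example, not code from anyone in this thread. It models the two approaches discussed: Sven's chain of DNAT rules with random matches (showing why "the last rule should really match" and why giving every rule the same 100/n percent does not split connections evenly, generalised to n servers), and Drew's periodic load check that rewrites a single DNAT rule to point at the least-loaded head node. Assumptions of mine: the current `-m statistic --mode random --probability` match is used in place of the older `-m random --average` match from Sven's rules; the iptables commands are only rendered as strings, never executed; host names, interface name and load values are constructed.

```python
# Added example (not from the thread): how a chain of DNAT rules with random
# matches splits new ssh connections, and the single rule a periodic load
# check would install.  Assumptions: `-m statistic` stands in for the older
# `-m random` match; hosts, interface and load figures are constructed.
from fractions import Fraction


def effective_shares(match_probs):
    """Rules are tried in order; a packet that matches is DNATed and leaves
    the chain.  Return (share per rule, fraction that matched no rule)."""
    remaining = Fraction(1)
    shares = []
    for p in match_probs:
        hit = remaining * Fraction(p)
        shares.append(hit)
        remaining -= hit
    return shares, remaining


def naive_probs(n):
    """Sven's sketch: every rule gets the same 100/n percent."""
    return [Fraction(1, n)] * n


def balanced_probs(n):
    """Rule i (0-based) must match 1/(n-i) of what is left so that each of the
    n servers ends up with exactly 1/n; the last rule then always matches."""
    return [Fraction(1, n - i) for i in range(n)]


def dnat_rules(servers, probs, iface="eth0"):
    """Render the PREROUTING DNAT chain as iptables command strings (not run).
    A probability of 1 means the rule needs no match at all."""
    lines = []
    for srv, p in zip(servers, probs):
        match = "" if p == 1 else (
            f"-m statistic --mode random --probability {float(p):.4f} ")
        lines.append(
            f"iptables -t nat -A PREROUTING -p tcp --dport 22 -i {iface} "
            f"{match}-j DNAT --to {srv}")
    return lines


def least_loaded(loads):
    """loads maps head node -> 1-minute load average (what an SNMP poll
    would return).  Ties go to the alphabetically first host so that
    repeated runs are deterministic."""
    return min(sorted(loads), key=loads.get)


def periodic_dnat_rule(loads, iface="eth0"):
    """The one rule a periodic (every 5-15 min) load check installs, replacing
    the previous rule 1, so new ssh sessions go to the idlest node."""
    target = least_loaded(loads)
    return (f"iptables -t nat -R PREROUTING 1 -p tcp --dport 22 -i {iface} "
            f"-j DNAT --to {target}")


if __name__ == "__main__":
    servers = ["head1", "head2", "head3"]                       # constructed
    for label, probs in (("naive", naive_probs(3)),
                         ("balanced", balanced_probs(3))):
        shares, unmatched = effective_shares(probs)
        print(label, [str(s) for s in shares], "unmatched:", unmatched)
    print("\n".join(dnat_rules(servers, balanced_probs(3))))
    sample_loads = {"head1": 2.5, "head2": 0.4, "head3": 0.4}  # constructed
    print(periodic_dnat_rule(sample_loads))
```

With three servers the naive chain sends 1/3, 2/9 and 4/27 of new connections to the three nodes and leaves 8/27 unmatched (those sessions land on the redirector itself), whereas the balanced chain gives each node exactly 1/3 and the final rule matches unconditionally. The periodic variant replaces rule 1 in place rather than appending, so the chain never grows between polls.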